Keith is an architect by day, blogger by night. He’s responsible for all the content on this blog, and irresponsible for everything else.

Latest stories

Gov TLS Audit : Architecture

Last month, I embarked on a new project called GovTLS Audit, a simple(ish) program that would scan 1000+ government websites to check their TLS implementation. The code would go through a list of hostnames, and scan each host for TLS implementation details like redirection properties, certificate details, HTTP headers, even stitching together Shodan results into a single comprehensive data...

Read this before GE14

Let’s start this post the same way I start my day, by looking at Facebook. Facebook made $40 billion in revenue in 2017, solely from advertising to pure schmucks like you. The mantra among the more technically literate is that Facebook doesn’t have users, it has products that it sells to advertisers; it just so happens that all its products are homo-sapien smart-phone...

Why we need centralized breach notification

Let’s start with the basics. Data breaches are common, and will continue to be the norm. How the App Economy and Big Data ruined it: As we shifted towards the ‘App-Economy’ and ‘Big-Data’ (circa 3 years ago), consumers began sharing more data with more apps. Everyone and their granny wanted to create a new app, and everyone was told to collect as much data as...

Gov.My TLS audit: Version 2.0

Last week I launched a draft of the Gov.my Audit, and this week we have version 2.0. Here’s what changed: Added more sites. We now scan a total of 1324 government websites, up from just 1180. Added Shodan results. Results include both the open ports and the time of the Shodan scan (scary shit!). Added site title. Results now include the HTML title to give a better description of the site...

I scanned 1000 government sites, what I found will NOT shock you

Previously, I moaned about dermaorgan.gov.my, a site that was probably hacked but was still running without basic TLS. It is unacceptable that in 2018 we have government-run websites that ask for personal information running without TLS. So I decided to check just how many .gov.my sites actually implemented TLS, and how many would start being labelled ‘not secure’ by Google in...

Another Day, Another breach

220,000 is a lot of people. It’s the population of a small town like Taiping, and roughly twice the capacity of Bukit Jalil Stadium. Yet today, a data breach of this size barely registers in the news cycle. After all, the previous data breach was 200 times bigger, and occurred just 3 months ago. How could we take seriously something that occurs so frequently, and on a scale very few...

That long post about Data breaches (you never wanted to read!)

Part 1: An intro to Data Breaches. Let’s start with some basics. What is a data breach? According to Verizon, a data breach is when you’ve confirmed that data has been lost to an attacker, while a data incident is merely something that ‘may’ result in a breach. An incident is when a laptop goes missing from your company’s office. A breach is when the data on that...

Part 8: False prepaid registrations

Consider this a bonus piece from my long thoughts about data breaches. You might want to read the older post before reading this. So let’s dive in. The telco breach was a giant hairball of issues, and one of the strands in the hairball is false prepaid registrations. Immediately after releasing sayakenahack, people reported that they were seeing additional numbers linked to their MyKad numbers. From...

Writing Millions of rows into DynamoDB

While designing sayakenahack, the biggest problem I faced was trying to write millions of rows efficiently into DynamoDB. I slowly worked my way up from 100 rows/second to around the 1500 rows/second range, and here’s how I got there. Work with BatchWriteItem. The first mistake I made was a data modelling error. Sayakenahack was supposed to take a single field (IC Number) and return the results...

Identity in a Post-Breach world (draft)

Posting this here first, my thoughts to follow. Random thoughts below are draft :). Random thoughts on the matter: We still need a single identifier in Malaysia (IC Number); this is an administrative necessity. LHDN needs to check your bank accounts, the Election Commission needs to know you’re not double-voting, etc. But that single identifier should not be used as an authenticator. No one should...